Opened 9 years ago

Closed 9 years ago

#6664 closed enhancement (fixed)

ntp-4.2.8p3

Reported by: Fernando de Oliveira
Owned by: bdubbs@…
Priority: normal
Milestone: 7.8
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p3.tar.gz

http://bk1.ntp.org/ntp-stable/NEWS

NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29) 

Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second
improvements.

Severity: MEDIUM

Security Fix:

* [Sec 2853] Crafted remote config packet can crash some versions of
  ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.

Under specific circumstances an attacker can send a crafted packet to
cause a vulnerable ntpd instance to crash. This requires each of the
following to be true:

1) ntpd set up to allow remote configuration (not allowed by default),
   and
2) knowledge of the configuration password, and
3) access to a computer entrusted to perform remote configuration. 

This vulnerability is considered low-risk.

New features in this release:

Optional (disabled by default) support to have ntpd provide smeared leap
second time.  A specially built and configured ntpd will only offer
smeared time in response to client packets.  These response packets will
also contain a "refid" of 254.a.b.c, where the 24 bits of a, b, and c
encode the amount of smear in a 2:22 integer:fraction format.  See
README.leapsmear and http://bugs.ntp.org/2855 for more information.

   *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
   *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*

We've imported the Unity test framework, and have begun converting the
existing google-test items to this new framework.  If you want to write
new tests or change old ones, you'll need to have ruby installed.  You
don't need ruby to run the test suite.

Bug Fixes and Improvements:

* CID 739725: Fix a rare resource leak in libevent/listener.c.
* CID 1295478: Quiet a pedantic potential error from the fix for Bug
  2776.
* CID 1296235: Fix refclock_jjy.c and correcting type of the
  driver40-ja.html
* CID 1269537: Clean up a line of dead code in getShmTime().
* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
* [Bug 2590] autogen-5.18.5.
* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
  of 'limited'.
* [Bug 2650] fix includefile processing.
* [Bug 2745] ntpd -x steps clock on leap second
   Fixed an initial-value problem that caused misbehaviour in absence of
   any leapsecond information.
   Do leap second stepping only if the step adjustment is beyond the
   proper jump distance limit and step correction is allowed at all.
* [Bug 2750] build for Win64
  Building for 32bit of loopback ppsapi needs def file
* [Bug 2776] Improve ntpq's 'help keytype'.
* [Bug 2778] Implement "apeers"  ntpq command to include associd.
* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
  interface is ignored as long as this flag is not set since the
  interface is not usable (e.g., no link).
* [Bug 2794] Clean up kernel clock status reports.
* [Bug 2800] refclock_true.c true_debug() can't open debug log because
  of incompatible open/fdopen parameters.
* [Bug 2804] install-local-data assumes GNU 'find' semantics.
* [Bug 2805] ntpd fails to join multicast group.
* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
* [Bug 2808] GPSD_JSON driver enhancements, step 1.
  Fix crash during cleanup if GPS device not present and char device.
  Increase internal token buffer to parse all JSON data, even SKY.
  Defer logging of errors during driver init until the first unit is
  started, so the syslog is not cluttered when the driver is not used.
  Various improvements, see http://bugs.ntp.org/2808 for details.
  Changed libjsmn to a more recent version.
* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
* [Bug 2824] Convert update-leap to perl. (also see 2769)
* [Bug 2825] Quiet file installation in html/ .
* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via
  autokey
   NTPD transfers the current TAI (instead of an announcement) now.
   This might still need improvement.
   Update autokey data ASAP when 'sys_tai' changes.
   Fix unit test that was broken by changes for autokey update.
   Avoid potential signature length issue and use DPRINTF where possible
     in ntp_crypto.c.
* [Bug 2832] refclock_jjy.c supports the TDC-300.
* [Bug 2834] Correct a broken html tag in html/refclock.html
* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more
  robust, and require 2 consecutive timestamps to be consistent.
* [Bug 2837] Allow a configurable DSCP value.
* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
* [Bug 2842] Bug in mdoc2man.
* [Bug 2843] make check fails on 4.3.36
   Fixed compiler warnings about numeric range overflow
   (The original topic was fixed in a byplay to bug#2830)
* [Bug 2845] Harden memory allocation in ntpd.
* [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
* [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
* [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
* [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
* [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
* [Bug 2856] ntpd should wait() on terminated child processes.  Paul
  Green.
* [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
* [Bug 2859] Improve raw DCF77 robustness decoding.  Frank Kardel.
* [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
* html/drivers/driver22.html: typo fix.  Harlan Stenn.
* refidsmear test cleanup.  Tomasz Flendrich.
* refidsmear function support and tests.  Harlan Stenn.
* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
  something that was only in the 4.2.6 sntp.  Harlan Stenn.
* Modified tests/bug-2803/Makefile.am so it builds Unity framework
  tests.  Damir Tomić
* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen
  Perlinger.
* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
  Damir Tomić
* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
  networking.c, keyFile.c, utilities.cpp, sntptest.h,
  fileHandlingTest.h. Damir Tomić
* Initial support for experimental leap smear code.  Harlan Stenn.
* Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
* Report select() debug messages at debug level 3 now.
* sntp/scripts/genLocInfo: treat raspbian as debian.
* Unity test framework fixes.
  ** Requires ruby for changes to tests.
* Initial support for PACKAGE_VERSION tests.
* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
* tests/bug-2803/Makefile.am must distribute bug-2803.h.
* Add an assert to the ntpq ifstats code.
* Clean up the RLIMIT_STACK code.
* Improve the ntpq documentation around the controlkey keyid.
* ntpq.c cleanup.
* Windows port build cleanup.

http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi

Partially reproduced below

June 2015 NTP Security Vulnerability Announcement (Minor)

NTF's NTP Project has been notified of a minor vulnerability in the
processing of a crafted remote-configuration packet. Remote
configuration is disabled by default. This issue was discovered and
reported by Aleksis Kauppinen of Codenomicon.

ntpd control message crash: Crafted NUL-byte in configuration directive.

    Date Resolved: Stable (4.2.8p3) 29 Jun 2015
    References: Sec 2853 / CVE-2015-5146 / VU#668167 / CERT-FI Case
    829967
    Affects: 4.2.5p3 up to, but not including 4.2.8p3-RC1, and 4.3.0 up
    to, but not including 4.3.25
    CVSS: (AV:A/AC:M/Au:S/C:P/I:P/A:P) Base Score: 4.9 at likely worst,
    1.4 or less at likely best
    Summary: Under limited and specific circumstances an attacker can
    send a crafted packet to cause a vulnerable ntpd instance to crash.
    This requires each of the following to be true:
        1. ntpd set up to allow for remote configuration (not allowed by
           default), and
        2. knowledge of the configuration password, and
        3. access to a computer entrusted to perform remote
           configuration.
    Mitigation:
         ◦ Upgrade to 4.2.8p3-RC1 or 4.3.25, or later, from the NTP
           Project Download Page or the NTP Public Services Project
           Download Page
         ◦ Be prudent when deciding what IP addresses can perform remote
           configuration of an ntpd instance.
         ◦ Monitor your ntpd instances. 
    Credit: This weakness was discovered by Aleksis Kauppinen of
    Codenomicon. 
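The NEWS entry above describes the leap-smear REFID as 254.a.b.c with the smear amount packed into the 24 bits of a, b, c as a 2:22 integer:fraction. The following encoder/decoder is an added example (not code from the ticket or from the NTP project); it assumes the 24-bit field is two's-complement (integer part sign-extended from bit 23), which the NEWS text does not state, and it lets an operator check whether a refid seen in `ntpq -p` output is a smear refid and how much smear it announces.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Leap-smear REFID layout from the 4.2.8p3 NEWS: first octet 254, then a
 * 24-bit 2:22 integer:fraction field holding the smear amount in seconds.
 * Assumption (not stated on the page): the field is two's-complement, so
 * the integer part is sign-extended from bit 23 and the range is [-2, 2) s. */
#define SMEAR_PREFIX     254u
#define SMEAR_FRAC_BITS  22
#define SMEAR_FIELD_MASK 0xFFFFFFu

bool is_smear_refid(uint32_t refid)
{
    return (refid >> 24) == SMEAR_PREFIX;
}

/* Encode a smear in seconds into a host-order refid, clamping to the field. */
uint32_t smear_to_refid(double smear_s)
{
    double scaled = smear_s * (double)(1 << SMEAR_FRAC_BITS);
    long v = (long)(scaled + (scaled >= 0 ? 0.5 : -0.5)); /* round to nearest */
    if (v > 0x7FFFFF) v = 0x7FFFFF;
    if (v < -0x800000) v = -0x800000;
    return (SMEAR_PREFIX << 24) | ((uint32_t)v & SMEAR_FIELD_MASK);
}

/* Decode the smear in seconds; returns 0.0 for a refid that is not a smear refid. */
double refid_to_smear(uint32_t refid)
{
    if (!is_smear_refid(refid)) return 0.0;
    long v = (long)(refid & SMEAR_FIELD_MASK);
    if (v & 0x800000) v -= 0x1000000;          /* sign-extend bit 23 */
    return (double)v / (double)(1 << SMEAR_FRAC_BITS);
}

/* Parse a dotted-quad refid as printed by ntpq; returns 0 if malformed. */
uint32_t parse_refid(const char *dotted)
{
    unsigned a, b, c, d; char extra;
    if (sscanf(dotted, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

int main(void)
{
    /* Constructed sample: a refid column value copied from a client's ntpq -p. */
    uint32_t r = parse_refid("254.224.0.0");
    if (is_smear_refid(r))
        printf("smear refid %08x -> %+.6f s\n", (unsigned)r, refid_to_smear(r));
    return 0;
}
```

A refid of 254.224.0.0 therefore announces a smear of -0.5 s; a client that is not expected to receive smeared time but sees a 254.x.x.x refid has found a server violating the NEWS warning above.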

Change History (2)

comment:1 by bdubbs@…, 9 years ago

Owner: changed from blfs-book@… to bdubbs@…
Status: new → assigned

comment:2 by bdubbs@…, 9 years ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 16210.
